Re: CGI::Application and CGI security

After reading the replies, I decided to test the $CGI::POST_MAX values. This is supposed to prevent DoS attacks by limiting the size of POST data, but I can't tell that changing the value makes any difference. My question now is, what is the expected behaviour if $POST_MAX is exceeded and everything works as it should? For instance, the following code executes with no warnings or errors:

display form

#!/usr/local/bin/perl
use strict;
use warnings;
use CGI;

$CGI::DISABLE_UPLOADS = 1; # Disable uploads
$CGI::POST_MAX        = 0; # Maximum number of bytes per post

my $cgi = CGI->new();

print $cgi->header();
print "
<html>
   <body>
   <form method='post' action='posttest.pl'>
      Username <input type='text' name='uid' size='15' value=''>
      <br><br>
      Password <input type='password' name='passwd' size='10' value=''
+>
      <br><br>
      <input type='hidden' name='rm' value='test'>
      <input type='submit' name='submit'>
   </form>
   </body>
</html>
";
[download]

parse form

#!/usr/local/bin/perl
use strict;
use warnings;
use CGI;

$CGI::DISABLE_UPLOADS = 1; # Disable uploads
$CGI::POST_MAX        = 0; # Maximum number of bytes per post

my $cgi = CGI->new();

my $uid    = $cgi->param('uid');
my $passwd = $cgi->param('passwd');
my $rm     = $cgi->param('rm');

print $cgi->header, $cgi->start_html;

print "uid: '"    . $cgi->param('uid')    . "<br>";
print "passwd: '" . $cgi->param('passwd') . "<br>";
print "rm: '"     . $cgi->param('rm')     . "'";
[download]

Comment on Re: CGI::Application and CGI security Select or Download Code

Replies are listed 'Best First'.
Re^2: CGI::Application and CGI security by derby (Abbot) on Jun 30, 2004 at 17:34 UTC
Interesting ... from the CGI docs: `$CGI::POST_MAX If set to a non-negative integer, this variable puts a ceiling on the size of POSTings ... An attempt to send a POST larger than $POST_MAX bytes will cause param() to return an empty CGI parameter list. You can test for this event by checking cgi_error(),` [download] However looking at the CGI code ($CGI::VERSION=3.05;), I see the following check: `METHOD: { # avoid unreasonably large postings if (($POST_MAX > 0) && ($content_length > $POST_MAX)) { # quietly read and discard the post my $buffer; my $max = $content_length; while ($max > 0 && (my $bytes = $MOD_PERL ? $self->r->read($buffer,$max < 10000 ? $max : 10000) : read(STDIN,$buffer,$max < 10000 ? $max : 10000) )) { $self->cgi_error("413 Request entity too large"); last METHOD; } }` [download] I think that would be a bug in CGI.pm (anyone want to tell Lincoln). It seems to me that the line should be `if (($POST_MAX > -1 ) && ($content_length > $POST_MAX))` [download] but then again ... setting $CGI::POST_MAX to 0 is kinda silly in a real world context. -derby	[reply] [d/l] [select]

Replies are listed 'Best First'.

Re^2: CGI::Application and CGI security
by derby (Abbot) on Jun 30, 2004 at 17:34 UTC

CGI

$CGI::POST_MAX
 If set to a non-negative integer, this variable puts a
 ceiling on the size of POSTings
...
 An attempt to send a POST larger than $POST_MAX bytes
 will cause param() to return an empty CGI parameter list.
 You can test for this event by checking cgi_error(),
[download]

However

CGI

METHOD: {
   # avoid unreasonably large postings
   if (($POST_MAX > 0) && ($content_length > $POST_MAX)) {
      # quietly read and discard the post
      my $buffer;
      my $max = $content_length;
      while ($max > 0 &&
        (my $bytes = $MOD_PERL
                  ? $self->r->read($buffer,$max < 10000 ?   
                    $max : 10000)
                  : read(STDIN,$buffer,$max < 10000 ? $max : 10000)
      )) {
      $self->cgi_error("413 Request entity too large");
      last METHOD;
   }
}
[download]

if (($POST_MAX > -1 ) && ($content_length > $POST_MAX))
[download]

-derby

[reply]
[d/l]
[select]